VPN build with Web GUI

SgtPepper, in your new mod, you cannot have two VPN Servers running on the same port, with one UDP and one TCP. In your previous version, I could without any problems. Just wanted to see if it was something you implemented or part of the new OpenVPN version. Anyways, looks good. Will test it and see how it performs.

I'd like to use this firmware to set up a router-to-router VPN connection. Are there any nuances of which I need to be aware that are documented in this 1200-post thread?

Humongous threads are hell. If I had the time I would set up a dedicated forum for this firmware so that information could more easily be shared. Does anyone else have the juice to do this? I'd happily contribute financially to see this happen.

So is your client another TomatoVPN router or a computer? If it is a computer, then you don't need to worry about the Client section in the GUI. If it is a TomatoVPN router, then you shouldn't be dealing with an ovpn file at all. For now, I'll assume the former.

You can just change the "tap0" to "tun", and you should also change the "ifconfig 10.8.0.2 255.255.255.0" to "ifconfig 10.8.0.2 10.8.0.1". If you continue to have problems, we'll start debugging.


My client is a computer. I did implement your change suggestions, but I still don't seem to be able to reach anything within my network. Are you supposed to add custom routes in the custom config to be able to "see" your network on the VPN connection? Thanks for your help so far.
EDIT: Tried adding route-gateway 192.168.1.1, still cannot ping this IP.

SgtPepper, in your new mod, you cannot have two VPN Servers running on the same port, with one UDP and one TCP. In your previous version, I could without any problems. Just wanted to see if it was something you implemented or part of the new OpenVPN version. Anyways, looks good. Will test it and see how it performs.


I didn't do anything relevant to that. If it has changed, it's probably in OpenVPN.

My client is a computer. I did implement your change suggestions, but I still don't seem to be able to reach anything within my network. Are you supposed to add custom routes in the custom config to be able to "see" your network on the VPN connection? Thanks for your help so far.
EDIT: Tried adding route-gateway 192.168.1.1, still cannot ping this IP.


With the tunnel connected, capture the routing table on the router and on the client. Also, see if there is anything suspicious in either's logs.

Second I have a quick question (would be great to get the answer today as I'm leaving tomorrow):

I want to set the OpenVPN server to listen on UDP port 53, but I cannot seem to make it work; it always conflicts with dnsmasq. I also tried to set OpenVPN to listen on UDP port 1194 and then forward external port 53 to internal 1194, but that did not work either.

The purpose of this is, as you may have figured out, to get internet access in hotspots where they allow DNS traffic.
Thank you in advance!

"--port-share host port
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.

Not implemented on Windows. "

**Note: When adding any of the options to your server-config.ovpn (the custom configuration box in tomato), make sure to exclude the first two dashes --> --port-share will be written as port-share in the config box.

Hi, SgtPepperKSU
I've been using some free VPN services (e.g. UltraVPN) nowadays. These services are implemented with customized OpenVPN setup packages, which only need you to enter your account name and password when you click connect. I'd like to know how to make your MOD work this way. It would be easy for noob users and simplify the setup procedure...
Thank you and have a good day.

Second I have a quick question (would be great to get the answer today as I'm leaving tomorrow):

I want to set the OpenVPN server to listen on UDP port 53, but I cannot seem to make it work; it always conflicts with dnsmasq. I also tried to set OpenVPN to listen on UDP port 1194 and then forward external port 53 to internal 1194, but that did not work either.

The purpose of this is, as you may have figured out, to get internet access in hotspots where they allow DNS traffic.
Thank you in advance!


I've tried to help people get that exact thing working before, but, alas, it does not appear to be possible. It appears OpenVPN has to be listening on the same port internally and externally, and you can't have it listening to UDP 53 internally due to DNS. So, UDP port 53 is out.

Hi, SgtPepperKSU
I've been using some free VPN services (e.g. UltraVPN) nowadays. These services are implemented with customized OpenVPN setup packages, which only need you to enter your account name and password when you click connect. I'd like to know how to make your MOD work this way. It would be easy for noob users and simplify the setup procedure...
Thank you and have a good day.


Well, you could use client-cert-not-required and user-auth-pass to accomplish that. See the OpenVPN manual for details. However, you should know that that would be much less secure.

ntest7, I could live without dnsmasq, but I've tried stopping it manually by issuing kill PID (after checking the box "do not restart dnsmasq if it dies") and then running OpenVPN on port 53; still, OpenVPN has some issues with this, and thus, when it starts, it cannot work.


Maybe you can leave dnsmasq running but disable its DNS functions. You can add
port=0
to the Advanced>DHCP/DNS>dnsmasq custom settings box for that.

I've been trying all day long and googling, but couldn't set up VPN with Tomato 1.25vpn3.4.
I'm using, or at least want to use, TAP over TCP. Generated the keys as I should, no HMAC authentication; still, to no avail.
I always get status=1 error messages and the connection is interrupted. Error log at pastebin.


Can you help please, cause I've tried to solve it but no avail. Thanks.


Start with the basics and try to make a connection, then worry about adding the rest. Get rid of the "redirect gateway" stuff, the custom cipher, compression, etc. Also, I don't know if the "auth none" in the client configuration is compatible with the (default) "auth sha1" from the server configuration.

Recently I started running rsnapshot (a Perl backup script that uses rsync) over an OpenVPN connection. This backup routine is processing 60,000+ files daily (this may be "no big deal", but it's the most significant I/O I've attempted to move across an OpenVPN link).

Today I noticed a new networking lag and was wondering about the possibility of Tomato/OpenVPN becoming overwhelmed in some way that might be affecting general *non-VPN* Tomato performance. Does anyone have any Tomato/OpenVPN stress-testing (deliberate or not) info they could share?

I can ping the server endpoint(10.8.0.1) from the Client side, but cannot ping the Client endpoint(10.8.0.2) from the Server side. Is there some option I can set to have the VPN act as a bidirectional router between my two subnets?

It appears to be a client issue since the GUI VPN Server connected to a DDWrt OpenVPN client worked fine in both directions.

Another question - I have to add the command

route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.1

to the client to enable routing from the client subnet. Is there an OpenVPN up script I can put this command into? If so, where is it?


Thank you!


Your routing would work automatically if you used TLS instead of static key. Have you considered using that?

Everything works great and fine, but I don't know if it's normal that the CPU, when using the tunnel, doesn't peak at 100% (max 40-50), and the throughput is roughly 100KB/s.
So I see that the bottleneck is not the CPU, not the upload / upload speeds, what is it then?
Thanks.

Hi all
I have Tomato Firmware v1.25vpn3.4.4a8380cb on two Linksys WRT54GL routers.
Router A 192.168.0.0/24 works as a VPN Client (TUN/TLS)
Router B 192.168.1.0/24 works as a VPN Server (TUN/TLS)
All works fine: ping between networks and all network services.
I have forwarded one external Internet IP address from the VPN client network via the VPN server gateway.
I added route xx.xx.xx.xx 255.255.255.255 in the Custom Configuration on the VPN Client. And it works perfectly.
All internet traffic from net A to that IP address goes via the VPN server.
Now I will forward only TCP port 25 from net A via the VPN server - is that possible? How?
Please help
Best regards

Your routing would work automatically if you used TLS instead of static key. Have you considered using that?


I tried TLS, the result was much the same as with the static key. I can access the Server subnet from the Client subnet, but I cannot access the Client subnet from the Server subnet.

I have disabled the GUI VPN and used static key Init and Firewall scripts to get VPN routing between the two subnets. The scripts are simple, nothing too fancy.

I can post my scripts if the VPN GUI has a known problem routing between subnets. Otherwise, the cause is some fluke in my setup, though it is pretty much as default as you can get. I like the VPN GUI and am willing to help debug it if that is desired.


Thank you, SgtPepperKSU, for an OpenVPN build of Tomato!


In order to access the client subnet from the server subnet, you have to uncheck the "NAT" option on the client router and give the server router an idea as to the subnet behind the client router. The easiest way to do the latter is by setting up the "Client-specific options" section on the server VPN settings. That is only available for TLS, though. For static key, you'll need to set up routes manually in the custom config section.

For what it's worth, I have an always connected (zero problems) site-to-site (plus occasional individual clients) connection using TUN/UDP/TLS (with client-specific options table filled in) and nothing in my custom configuration fields. The routing is handled in both directions automatically by the GUI.

Everything works great and fine, but I don't know if it's normal that the CPU, when using the tunnel, doesn't peak at 100% (max 40-50), and the throughput is roughly 100KB/s.
So I see that the bottleneck is not the CPU, not the upload / upload speeds, what is it then?
Thanks.


OpenVPN was designed mainly for UDP transfer; you can try to switch to "proto UDP", or you can try switching to routed, non-bridged mode with a TUN device.

The cpu in the WRT54GL with AES should max out at around 400kb/s, there was also a speedtest in the net using multiple configurations on the WRT54GL, just google for it.

VPN is working (he can access my router's config),
but how can we make it so our Xboxes can see each other with System Link?

Thank you very much for your help.


I think XBox System Link uses broadcast messages (I've never used it, just going off a quick google search) to find the other Xboxes. There may be a way to replicate broadcasts across different subnets, but it would probably be simpler, in your case, to use TAP and have everything on the same subnet (you'll have to work out with him which IP addresses each of you can use to keep from having conflicts).

If there is a way to get System Link to work over subnet boundaries, hopefully somebody will speak up.


OK, I tried to set up TAP but it doesn't seem to work.

My router (VPN server) has IP = 192.168.40.1
DHCP enabled

My friend's VPN client IP is set to 192.168.40.2
Everything else is default, but he cannot even access my router at 192.168.40.1 this time.

How do I set up on the same subnet... can you maybe give me an example of how to set the IPs?

I have a VPN connection from my work computer to my tomato router working very well. Now I'd like to find an easy way to make the tomato router open a SOCKS proxy on a router port like 8080.

First some background: For large downloads, I want to be able to use the corporate connection to the internet, but for personal use, I would like to send internet traffic through my home tomato router. I can do this now by routing all non-local traffic through the VPN tunnel to my router, but what I'd really like is to have Internet Explorer use the corporate proxy, and have Firefox and other select programs go through my VPN connection to the tomato router, but preferably without making the VPN tunnel the default route for all network connections. I thought a good way to achieve this would be to have tomato open a port like 8080 on the router, listening as a SOCKS proxy. I know I could tunnel via ssh from my work computer, but why bother with Putty when I already have a working OpenVPN connection to my tomato router? I'd like to be able to just have 192.168.1.1:8080 be my SOCKS proxy.

A friend suggested that if I add an ssh to localhost in a tomato router script, I can have an open SOCKS proxy. If this sounds reasonable, where would I put the ssh command (in which tomato script), something like the following:

ssh -D 8080 root@localhost

Does this sound reasonable, or is there an easier way to create an open proxy on the router?

In order to access the client subnet from the server subnet, you have to uncheck the "NAT" option on the client router and give the server router an idea as to the subnet behind the client router. The easiest way to do the latter is by setting up the "Client-specific options" section on the server VPN settings. That is only available for TLS, though. For static key, you'll need to set up routes manually in the custom config section.

For what it's worth, I have an always connected (zero problems) site-to-site (plus occasional individual clients) connection using TUN/UDP/TLS (with client-specific options table filled in) and nothing in my custom configuration fields. The routing is handled in both directions automatically by the GUI.

I did run into one strange problem that has me stumped. Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does work correctly if the server is in daemon mode. If I take the daemon line out of the server configuration file and restart OpenVPN, packets are routed correctly. Routing from the client subnet to the server subnet works correctly either way.


This comment does not make sense, perhaps the line should read:
Routing from the server subnet (192.168.1.x) to the client subnet (192.168.2.x) does **NOT** work correctly if the server is in daemon mode.

Also, is it possible to add a PPTP server function? This is particularly useful for WinXP clients because there is no need to install any software on the client machine, just give them the login and password.


It's something I've considered, but would need to find the time to do it. It would have very little in common with what I've done, so it would mostly be starting from scratch.

hi,
first of all thanks for this awesome mod, it works perfectly for me! I've been using dd-wrt for a few months and it took me tens of hours to set up a VPN server on it. With this mod I set it up in about 10 minutes!

I am just wondering about the "Response to DNS" option. I'm using a bridged interface and if this option is unchecked, it responds to DNS anyway.

I also think I know why that is:
In /etc/dnsmasq.conf interface=br0 is set by default; if "Response to DNS" is checked, interface=tap21 is added to /etc/dnsmasq.conf. But when using a bridged interface, tap21 is part of br0 anyway and will therefore respond to DNS queries, right?
I don't think this is a problem, I just noticed it and wanted to let you know!

Another thing: if the clients get their IP address and their DNS server via DHCP, is there even a point in setting "Advertise DNS to clients"? Because I didn't set it, and when using redirect-gateway the client will use the VPN server as the primary DNS server just fine (tested on Windows 7 RC with the latest OpenVPN version). I'm not sure about this one, so I'm just asking.

vpn server is started and he's router is also connected but he can't access my router or ping it

with TUN it worked


TAP will not work because you and your friend have the same network subnet (192.168.40.x). THEY MUST BE DIFFERENT. When you run on TAP, the entire subnet is pushed to the client, and an IP from the host network is assigned to the client. This will create a conflict and break everything if they are the same. Tell your client to change to subnet 192.168.41.XXX. TUN works between two individual points, so it can work within the same subnet.

After you change that, quickly run through the following. If compression is enabled on the host, ensure you have 'comp-lzo yes' in the client config. If it is disabled, ensure you have 'comp-lzo no' in the client config. I'm not sure what to put if you specify adaptive compression.

hi,
first of all thanks for this awesome mod, it works perfectly for me! I've been using dd-wrt for a few months and it took me tens of hours to set up a VPN server on it. With this mod I set it up in about 10 minutes!

I am just wondering about the "Response to DNS" option. I'm using a bridged interface and if this option is unchecked, it responds to DNS anyway.

I also think I know why that is:
In /etc/dnsmasq.conf interface=br0 is set by default; if "Response to DNS" is checked, interface=tap21 is added to /etc/dnsmasq.conf. But when using a bridged interface, tap21 is part of br0 anyway and will therefore respond to DNS queries, right?
I don't think this is a problem, I just noticed it and wanted to let you know!

Another thing: if the clients get their IP address and their DNS server via DHCP, is there even a point in setting "Advertise DNS to clients"? Because I didn't set it, and when using redirect-gateway the client will use the VPN server as the primary DNS server just fine (tested on Windows 7 RC with the latest OpenVPN version). I'm not sure about this one, so I'm just asking.

anyway, thanks again for this awesome mod and keep up the good work


Good points. Those settings were meant for TUN and shouldn't be available for TAP (since they don't do much of anything). I'll try to remember to make them not visible if TAP is selected for the next version.

TAP will not work because you and your friend have the same network subnet (192.168.40.x). THEY MUST BE DIFFERENT. When you run on TAP, the entire subnet is pushed to the client, and an IP from the host network is assigned to the client. This will create a conflict and break everything if they are the same. Tell your client to change to subnet 192.168.41.XXX. TUN works between two individual points, so it can work within the same subnet.

After you change that, quickly run through the following. If compression is enabled on the host, ensure you have 'comp-lzo yes' in the client config. If it is disabled, ensure you have 'comp-lzo no' in the client config. I'm not sure what to put if you specify adaptive compression.

Quite the opposite. TAP is meant to work with the subnet being the same on each endpoint, and TUN is meant to work with them being different on each endpoint (though is not strictly necessary unless you want access to the server subnet).

Also, he should worry about getting pinging to work before messing around with DNS. In fact, I doubt he'd even want to push DNS at all for what he needs. But, if he did, there's a GUI option for it and no need to add a line to the custom config.

For two-way communication you need to fill out the "Manage client-specific options" table in the VPN server router with the LAN details of the various clients. Then you should make sure to uncheck the "NAT" checkbox on the client.

Then the LANs should be able to see each other fine. If you still have problems after making those settings, we'll see if we can figure something out.

192.168.0.0/24 and 192.168.1.0/24. The problem is, if I put it in like that, it crashes and is unrecoverable except through factory defaults.

There are two entries, 192.168.0.1/24 and 192.168.1.1/24

When I put the routes in like this it doesn't crash the router, although it's obvious that something is wrong. I stumbled across this because I hit the save button early.

Even if I remove both of those routes and put only specific hosts (192.168.0.1/32 and 192.168.1.1/32) it still doesn't work.

Thanks for your help so far, it really is appreciated.


You're having problems because you're putting the server subnet in the client-specific table. This is causing 192.168.1.0/24 traffic to go over the tunnel, when you want it going over the LAN. Just put the client subnet in the client-specific table (being sure to use the commonname from the client's TLS certificate) and you should be fine.

hi,
I just bought a second WRT54GL and wanted to setup a client on it, which is connecting to another WRT54GL running an OpenVPN-Server.

Both routers have the subnet 10.17.24.0/24.
The router that is running the server is 10.17.24.254. The router that is running the client has 10.17.24.252.

I can connect just fine (log shows no errors), but I simply couldn't ping to the server, let alone the clients behind it.

After some trial-and-error I found out that everything works fine as soon as I ssh into the router and type "ifconfig tap11 up". Seems like the tap11 is down after the OpenVPN-connection has been established.


Is this a bug or am I simply doing something wrong?


Hmmm, that is odd. Do you have the "Server is on the same subnet" checkbox selected? Can you provide the output of ifconfig when it is in the non-working state?

And, what does it do if instead of bringing up tap11 directly, you run:

Code:

brctl addif br0 tap11
ifconfig br0 promisc up

This is what the firmware does, so if there is an error message there it would hopefully explain what's going wrong.


"brctl addif br0 tap11" outputs "device tap11 is already a member of a bridge; can't enslave it to bridge br0.".
"ifconfig br0 promisc up" does nothing, it still doesn't work. Seems like bringing up br0 does not automatically bring up its interfaces (including tap11). I have a ping on the server running in the background and I see a response immediately after I type "ifconfig tap11 up".


Hmmm, I know this used to work, so I wonder if the updated busybox in the last version of Tomato changed this behavior. I specifically remember originally trying to bring up the tap device directly, but having to change it to bringing up the bridge. Maybe I was working around a bug that they fixed...

In any case, I'll play around with it and fix it in the next release.

In the meantime, you can add

Code:

echo "ifconfig tap11 up" > /tmp/tap11up.sh

to your init script and

Code:

up /tmp/tap11up.sh

to your custom config (as long as you aren't using the "Accept DNS" option - if you are, we'll need to do it a little different).

My site-to-site VPN is working fine so far with the "ifconfig tap11 up" workaround; there is just one problem: I now have 2 DHCP servers in my network - the Tomato router running the OpenVPN server and the router running the client. Can I somehow prevent DHCP packets from going through the VPN tunnel, so that all PCs get their IP only from their local DHCP server?


That's one of the biggest reasons I always tell people to use TUN (with different subnets) rather than TAP unless it is explicitly needed.

I don't know off-hand how to prevent that, but I'm pretty sure Google should turn some things up for you.

Maybe a firewall rule could be added to the router hosting your device to block outgoing DHCP requests? If successful, you could put in the same rule on the other router, to contain its own DHCP requests from reaching your server/client.

I'm not great with iptables, but I'll see if I can hash something out.. I'm running a TAP+static key setup between two routers and I am seeing the same thing. For now, setting the IP and gateway addresses manually on your clients could help ensure no unintended traffic will be forwarded over the tunnel.
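One way to keep DHCP from crossing a bridged TAP tunnel, as an added example that is not from the thread or the firmware: because the tap interface is a bridge port, DHCP broadcasts cross it as layer-2 frames that the iptables FORWARD chain never sees, so the filter has to sit at the bridge layer. It assumes ebtables is available on the router (this thread does not confirm that for the Tomato build) and that the same rules are run on both routers.

```shell
#!/bin/sh
# Added example, not from the thread: keep DHCP on its own side of a bridged
# TAP tunnel so each LAN only sees its own DHCP server. The tap interface is a
# bridge port, so DHCP broadcasts cross it as layer-2 frames that the iptables
# FORWARD chain never sees; the filter has to sit at the bridge layer.
# Assumption: ebtables is present on the router (not confirmed for this build).

# dhcp_rules <tap-iface>
# One ebtables command per line. UDP 67 (to servers) and 68 (to clients) are
# dropped in both directions: -o stops local requests leaving through the
# tunnel, -i FORWARD stops remote ones reaching the LAN ports, and INPUT stops
# remote ones reaching this router's own dnsmasq.
dhcp_rules() {
    tap=$1
    for port in 67 68; do
        echo "ebtables -A INPUT -i $tap -p IPv4 --ip-proto udp --ip-dport $port -j DROP"
        echo "ebtables -A FORWARD -i $tap -p IPv4 --ip-proto udp --ip-dport $port -j DROP"
        echo "ebtables -A FORWARD -o $tap -p IPv4 --ip-proto udp --ip-dport $port -j DROP"
    done
}

# rule_count <tap-iface>: number of rules dhcp_rules produces (6 for two ports).
rule_count() {
    dhcp_rules "$1" | wc -l | tr -d ' '
}

# apply_dhcp_rules <tap-iface> [dry]
# Run the rules on the router (needs root). With a second argument "dry" the
# commands are only echoed, which is how to review them before putting them
# into the firewall script box.
apply_dhcp_rules() {
    dhcp_rules "$1" | while read -r cmd; do
        if [ "${2:-}" = dry ]; then
            echo "$cmd"
        else
            $cmd || exit 1   # leaves only the pipeline subshell with status 1
        fi
    done
}
```

Run it on both routers; the tap name is tap11 on the client router and tap21 on the server router in this thread.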

I've decided to try establishing a TUN/TLS connection. The machines on the client lan can access the machines on the server lan, however, the client subnet is not visible to anyone on the openvpn server lan, and server. How to solve this?

I also tried placing a file(named after the common name of my client) in the ccd folder with iroute x.x.x.x 255.255.255.0 and it did not work either.

I also tried enabling client specific options, and put in the client subnet in the list, with enable checked off, it did not work. When I checked off push, my client router froze. I also tried push "route 100.100.100.0 255.255.255.0" in my client configuration, but it did not succeed as well... I knew you could not push to a server, but tried anyway.

Which piece of the puzzle am I missing? When I uncheck "Create NAT" in the client config, I am no longer able to access the server subnet, so I have to leave it checked.


To get server LAN -> client LAN communication, you need to do two things. Uncheck the NAT box on the client and fill in the client-specific options table on the server. Be absolutely sure, though, that you put the correct CommonName in the table (the CommonName used to create the client TLS certificate), or it won't work. You won't need to use "push" unless you want the different clients to see each other.
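As an added example (not code from the thread or from the Tomato build), these are the plain OpenVPN directives behind the server LAN -> client LAN procedure given here and earlier in the thread: the server's kernel route plus the per-client iroute file named after the certificate CommonName, and the client side without NAT. The tunnel pool 10.8.0.0/24, the LANs 192.168.1.0/24 and 192.168.2.0/24, the CommonName "branch" and the /tmp/ccd directory are assumed sample values, not what the GUI uses internally.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomato firmware: the plain OpenVPN
# directives that the GUI steps for two-way site-to-site routing end up as.
# Assumed sample values: tunnel pool 10.8.0.0/24, server LAN 192.168.1.0/24,
# client LAN 192.168.2.0/24, client CommonName "branch", ccd dir /tmp/ccd.

# server_config <tunnel-net> <server-lan> <client-lan>
# "route" gives the server kernel a path for the client LAN into the tunnel;
# "client-config-dir" enables the per-client files that carry the iroute;
# the pushed route tells the client router where the server LAN lives.
server_config() {
    cat <<EOF
server $1 255.255.255.0
client-config-dir /tmp/ccd
route $3 255.255.255.0
push "route $2 255.255.255.0"
EOF
}

# ccd_entry <client-lan>
# "iroute" is OpenVPN's internal routing entry: the kernel route only hands
# packets to OpenVPN, the iroute tells it which connected client owns the LAN.
ccd_entry() {
    echo "iroute $1 255.255.255.0"
}

# write_ccd <ccd-dir> <commonname> <client-lan>
# The file name must be the exact CommonName of the client's certificate;
# a mismatch here is the usual reason the client LAN stays unreachable.
write_ccd() {
    mkdir -p "$1" || return 1
    ccd_entry "$3" > "$1/$2"
}

# client_config <server-host>
# The client-router side. There is no directive for the GUI "NAT" box: it adds
# an iptables MASQUERADE rule on the tunnel, which must stay off so the server
# sees real client-LAN source addresses that its route/iroute pair can answer.
client_config() {
    cat <<EOF
client
dev tun
proto udp
remote $1 1194
EOF
}
```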

I'm 100% sure it is the same. What I find odd, is that the client LAN subnet does not appear in the server's routing table after the connection is established. When I try adding the route manually (my syntax: route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.8.0.2 dev tun21), it appears in the routing table, though still does not work.

I can ping 10.8.0.2 (the client router), but I cannot ping 192.168.2.1 (the client router), or reach anyone on 192.168.2.*.
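The symptom in this post (tunnel endpoint reachable, client LAN absent from the server's routing table, and a manually added route that still does not help) can be checked mechanically from a captured "route -n", as the thread suggested earlier. Added example, not from the thread: the table below is constructed to match the description, using this thread's tun21 interface name and a constructed WAN gateway 203.0.113.1.

```shell
#!/bin/sh
# Added example, not from the thread: check a captured "route -n" from the VPN
# server router for the two site-to-site routing faults discussed above.
# The sample table is constructed to mirror this post: the tunnel endpoint
# 10.8.0.2 is routed, but the client LAN 192.168.2.0/24 has no entry.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun21
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan1'

# route_ifaces <table> <network>: print the interface of every route whose
# destination is <network>, one per line (empty when there is none).
route_ifaces() {
    printf '%s\n' "$1" | awk -v net="$2" '$1 == net { print $NF }'
}

# check_site_routes <table> <server-lan> <client-lan> <tun-iface>
# Exit 0 when the table looks right for two-way routing, otherwise print each
# finding and exit 1. What this cannot see: a kernel route is only half of it.
# If the route is present but the client LAN is still unreachable, the missing
# half is the iroute from the client-specific entry (named after the exact
# certificate CommonName), which lives inside OpenVPN, not in the kernel.
check_site_routes() {
    table=$1; srv_lan=$2; cli_lan=$3; tun=$4; rc=0
    cli_if=$(route_ifaces "$table" "$cli_lan")
    if [ -z "$cli_if" ]; then
        echo "missing: no route to $cli_lan (expected via $tun)"; rc=1
    elif ! printf '%s\n' "$cli_if" | grep -qx "$tun"; then
        echo "wrong: $cli_lan is routed via $cli_if, expected $tun"; rc=1
    fi
    # The server's own LAN must stay on the bridge. A tunnel route for it is
    # the sign of the server subnet having been put into the client table.
    if printf '%s\n' "$(route_ifaces "$table" "$srv_lan")" | grep -qx "$tun"; then
        echo "loop: own LAN $srv_lan is routed into $tun"; rc=1
    fi
    return $rc
}
```

On a live router replace the sample with `check_site_routes "$(route -n)" 192.168.1.0 192.168.2.0 tun21`.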

I saw on the forum of an OpenVPN client I use, the following statement:

....the latest version of OpenVPN (version 2.1rc19). The OpenVPN team changed how the redirect-gateway flag functions: it now requires an argument to be specified. If none is specified, the command is ignored, and hence all traffic will not go through your VPN connection.
If you are running your own OpenVPN server you should update it so it pushes out the command "redirect-gateway def1" instead of just "redirect-gateway" (which will no longer work with newer versions of OpenVPN)

Is this taken care of automatically by the "Direct clients to redirect Internet traffic" checkbox, or does the updated command (with def1) need to be set manually?

It's built in to the DNS options. If you have a WINS server IP set up in the server router, then selecting "Advertise DNS to clients" will send WINS along with the rest of the DNS stuff. If you then have "Accept DNS configuration" enabled on the client, it will accept the WINS setting from the server, and it will be as if you had entered that IP on the client (until it disconnects, of course).

Hi,
first of all, thank you for this fantastic GUI, it really helps.
Two problems I discovered while playing with your mod and the WRT54GL:

-I use 2048-bit keys; when I tried to configure a 2nd server, Tomato refused to write the proper config. The server crt was always empty. I tried several times, and the only way to manage it was shortening all keys/crts to just the lines between BEGIN and END. Is it a lack of nvram space for keys? Better to use 1024-bit keys?

-The combination of a server running and a client (of course connected to another server) with "Create NAT on tunnel" checked leads to a router hang. The router behaves strangely when the OpenVPN config is written (empty fields); after reboot it definitely stops responding. I had to reset to defaults with the reset key to recover. Tested on two routers...


What does the "Direct clients to redirect Internet traffic" setting do? If I check it, does it mean all the client's internet traffic will route through the router via VPN before it goes out?


It tells the clients to do that, yes. They can still do some maneuvering on their end to avoid it. But, without deliberate effort, their internet traffic will route through the router via VPN when that option is selected.